Sample declarative access control policy

In my previous post I mentioned that we have now released a parser for SecPAL that allows policies to be written in a human readable simplified English grammar. I thought it might be worth including an example - based on the scenario that was used in the GridToday post on Access Control in Grid Computing Environments which (funnily enough) is very similar to the two pages of F# available here and very similar to the C# sample AttributeScenario solution included inside the v1.1 release of SecPAL.

The sample shows the policies being specified in C# using a similar approach to that you might use to specify dynamic SQL. Such policies could just as easily be read from a file etc. In the future I will provide some more advanced samples - including more discussion about each of the samples - but for now just remember that another of SecPAL's strengths is its ability to create generic access control policies through the use of variables. In the simplified English grammar variables are prefixed by % signs. Variables are substituted for concrete values during evaluation. Enjoy...

using System;

using

System.Collections.Generic;

using

System.Text;

using

Microsoft.Research.SecPal.Authorization;

using

Microsoft.Research.SecPal.Parser;

namespace

DeclarativeTest

{

classProgram

{

staticvoid Main(string[] args)

{

// Input policies

// 1. Policy restricting access to a resource to those principals possessing a valid email address

string resourceAccessPolicy =

"LA says %p can read digitalContent:'file://public/' " +

" if %p possesses %a" +

" where %a matches rfc822Name:'.*@microsoft.com' ";

// 2. Policy delegating the rights to an STS to make statements about possession of email attributes

string trustPolicy =

"LA says K-STS can say %p possesses %a" +

" where %a matches rfc822Name:'.*@microsoft.com' ";

// 3. Identity assertion that would normally be included inside a token when the user requests access to a resource